Ports on ASA

laurabolda
Level 1

We have 4 ports on the ASA 5510.  Port 0 is Outside, Port 1 is inside, Ports 2 and 3 are not in use.

1.  If I configure ports 2 and 3 as Inside interfaces, using the same subnet as port 1 (192.168.100.0), do I connect ports 1, 2, and 3 using crossover cables?  Is there a special configuration that I need so that the servers on these ports can communicate with each other?

2.  If I configure ports 2 and 3 as Inside interfaces, would you use the same subnet or different subnets from port 1?

3.  What do people normally use ports 2 and 3 for?


Let me know if you want to see the current config or need additional information.  Thanks.

Accepted Solutions

Jennifer Halim
Cisco Employee

1) The static NAT statement should be as follows:

static (Dmz,outside) 66.102.7.89 192.168.102.3 netmask 255.255.255.255

2) The split tunnel ACL used to be an extended ACL in PIX version 6.3 and below; however, since PIX/ASA version 7.0 and above, you need to use a standard ACL to configure split tunneling. Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1404816

Hope that answers your questions.


16 Replies

Jennifer Halim
Cisco Employee

1) You can't configure ports 2 and 3 to be in the same subnet as port 1 on the ASA 5510. They are not switch ports. All ports on the ASA 5510 are routed ports, so you have to configure a different subnet for each port.

2) If you are using ports 2 and 3 as interfaces, they need to be in different subnets from the inside interface.

3) People normally use the other spare ports for a DMZ zone, where your server zone is separated from the outside and inside networks.

Hope that helps.

Halijenn,

Thanks very much for your information and prompt response.  So, ports 2 and 3 need to be on different subnets from port 1.  Is it possible for the servers on port 1 to communicate with servers on port 2?  For example, port 1 has 192.168.100.0 and port 2 has 192.168.101.0.  Thanks.

Yes you can.

Example:

Inside: 192.168.100.0/24 (security level 100)

DMZ: 192.168.101.0/24 (security level 80)

On the configuration, you would have the following:

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

You need to add an access-list on the dmz interface if you would like the dmz subnet to communicate with the inside subnet.

Halijenn,

I just added port 2 as DMZ.  From the ASA, I am able to ping the workstation 192.168.102.3.  From the workstation 192.168.102.3, I am able to ping 192.168.102.250, which is port 2 of the ASA.   I am unable to ping 192.168.102.3 from 192.168.100.1.  I am unable to ping 192.168.102.3 when I log in to the VPN client with the techsupport group policy.

Attached is the config file.  Please let me know if you need additional information.

Thanks.

Laura,

To be able to communicate from the inside to the DMZ (192.168.100.1 to 192.168.102.3) you require NAT (if nat-control is enabled), and either an ACL permitting the ICMP replies back or inspection of ICMP.

Add the following command to see if it works:

global (DMZ) 1 interface

To be able to PING the DMZ devices when connected via VPN, you need to add the bypassing rules for NAT (as you have for the inside interface):

nat (Inside) 0 access-list nonat

Federico.

Federico,

Thanks for your prompt response and information.  I am still unable to ping from 192.168.100.1 to 192.168.102.3.  I am not able to ping 192.168.102.3 when I log in to the Cisco VPN client with the techsupport group policy.  Do you have any other suggestions?

Thanks.

Laura

Communication between the inside and DMZ will not be translated because of this:

access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0

nat (Inside) 0 access-list nonat

The above line will allow communication between those networks without NAT.

Try adding the following:

access-list DMZ permit ip any any

access-group DMZ in interface DMZ

Federico.

Thanks for your prompt response and information.  Now I can't ping the DMZ interface 192.168.102.250 from the ASA.  Do you want me to start configuring the DMZ interface from scratch?  Thanks.

Laura,

You cannot PING the DMZ's IP 192.168.102.250 from the ASA itself?

Yes, go ahead and reconfigure the DMZ interface from scratch and let's take it from there.

Federico.

Thanks Federico.  I probably won't be able to reconfigure the DMZ interface today.  Looks like I will have to continue this on the weekend or Monday.  I need to take care of the production problems.  I will let you know the status.

Thanks very much for your help.

Hi Laura,

1) To ping to 192.168.102.3 from 192.168.100.1, you would need to add the following line:

static (Inside,Dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

The following line is incorrect, so you might want to remove it:

static (Inside,Dmz) 66.102.7.89 192.168.102.3 netmask 255.255.255.255

2) To ping 192.168.100.1 from 192.168.102.3, you would need to configure an access-list on the DMZ interface, because traffic from a lower security level to a higher security level is not permitted by default:

access-list dmz-acl permit icmp any any

access-group dmz-acl in interface Dmz

3) To ping 192.168.102.3 when connected via VPN Client, you would need to configure the following:

access-list dmz-nonat permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0

nat (Dmz) 0 access-list dmz-nonat

I have also had a look at your split tunnel ACL; you are using an extended ACL for the majority of the split tunnel ACL, and it needs to be a standard ACL instead.

For example:

The following extended ACL:

access-list split-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list split-acl extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0

Needs to be changed to standard ACL:

access-list split-acl standard permit 192.168.100.0 255.255.255.0
access-list split-acl standard permit 192.168.102.0 255.255.255.0

The split tunnel ACL: "split-acl" is currently applied to vpn group "techsupport", so after the above changes, you should be able to ping 192.168.102.3 from "techsupport" vpn group.

Hope that helps.
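The following is an added example, not configuration posted in this thread. It pulls the pieces from the answers above into one pre-8.3 (static/nat/global) configuration for the three-interface layout: identity static from Inside to Dmz, the DMZ web server published on the outside, NAT exemption for the VPN pool, an ACL on the Dmz interface, ICMP inspection, and the standard split-tunnel ACL. The Inside and outside interface addresses, the VPN pool 192.168.101.0/24 (inferred from the dmz-nonat and split-acl lines), security-level 50 on Dmz, the outbound PAT lines, the outside test client 203.0.113.10 and the default policy-map names global_policy and inspection_default are assumptions. The Dmz ACL is deliberately tighter than the permit icmp any any used for testing: DMZ hosts may only echo toward Inside and are otherwise denied into Inside and the VPN pool.

```cisco
! Added example, not from the thread. ASA 8.0-era (pre-8.3) syntax, matching the posts.
! Assumed: Inside/outside addresses, VPN pool 192.168.101.0/24, security-level 50 on Dmz.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 66.102.7.2 255.255.255.0
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.100.250 255.255.255.0
interface Ethernet0/2
 nameif Dmz
 security-level 50
 ip address 192.168.102.250 255.255.255.0
!
! Inside -> Dmz: identity static so inside hosts keep their own addresses on the DMZ.
! With nat-control enabled, no translation for this path means no connection at all.
static (Inside,Dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
!
! Publish the DMZ web server: the real address lives on Dmz, the global address on outside.
static (Dmz,outside) 66.102.7.89 192.168.102.3 netmask 255.255.255.255
!
! Outbound PAT for Inside and Dmz to the Internet (assumed to exist already for Inside).
global (outside) 1 interface
nat (Inside) 1 192.168.100.0 255.255.255.0
nat (Dmz) 1 192.168.102.0 255.255.255.0
!
! VPN pool <-> Inside and VPN pool <-> Dmz must bypass NAT.
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list nonat
access-list dmz-nonat extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (Dmz) 0 access-list dmz-nonat
!
! Outside: only the published server, only the services it offers.
! Pre-8.3, an ACL on outside references the translated (global) address.
access-list outside-acl extended permit tcp any host 66.102.7.89 eq www
access-list outside-acl extended permit tcp any host 66.102.7.89 eq https
access-group outside-acl in interface outside
!
! Dmz: "permit ip any any" here would let a compromised DMZ host reach the inside network.
! Allow echo toward Inside for the test, deny everything else into Inside and the VPN pool,
! then let the DMZ reach the Internet.
access-list dmz-acl extended permit icmp 192.168.102.0 255.255.255.0 192.168.100.0 255.255.255.0 echo
access-list dmz-acl extended deny ip 192.168.102.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz-acl extended deny ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list dmz-acl extended permit ip 192.168.102.0 255.255.255.0 any
access-group dmz-acl in interface Dmz
!
! Stateful ICMP: echo replies from the DMZ are matched to the Inside-originated echo
! instead of needing their own permit on dmz-acl.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Split tunnel: a standard ACL listing only the destination networks the client tunnels.
access-list split-acl standard permit 192.168.100.0 255.255.255.0
access-list split-acl standard permit 192.168.102.0 255.255.255.0
group-policy techsupport attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
!
! Verification from the ASA (203.0.113.10 is a constructed outside client address):
! packet-tracer input Inside icmp 192.168.100.1 8 0 192.168.102.3
! packet-tracer input outside tcp 203.0.113.10 40000 66.102.7.89 80
! show xlate
```

The split-tunnel list is a standard ACL because it only names the networks the client should send through the tunnel; the client's pool address is the implicit source, so an extended ACL's source field has nothing to match. On ASA 8.3 and later the static/nat/global lines are replaced by object NAT and twice NAT, and ACLs on the outside reference the real (untranslated) address, so this block is not a drop-in for current software.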

Halijenn,

Thank you very much for taking time to look at the config.  I just fixed some of the production problems.  So, my brain is shut down.  I will go back and look at your suggestions.   I really appreciate you taking the time to help me out. Thanks again.

Laura

Pleasure, have a great weekend.

Halijenn,

I won't be able to test today.  I think I disconnected the cable on port 2 on Friday.  I need to come in the office to check the physical connection.  I have some questions:

1.  You said

"The following line is incorrect, so you might want to remove it:

static (Inside,Dmz) 66.102.7.89 192.168.102.3 netmask 255.255.255.255"

If I want to NAT the private web server IP address 192.168.102.3 to a public IP address, how would you write it?

2.  You recommended changing the Extended Split-ACL to a Standard Split-ACL.  Is it because the Extended ACL is not necessary, or is it incorrect coding?

Again, thank you very much for taking time to look at the config.
